
XSS vulnerability detection based on penetration testing

Published: 2018-05-31  Views: 467  Downloads: 98
Authors: HUO Guoqing, CAO Tianjie
Organization: School of Computer Science and Technology, China University of Mining and Technology
Abstract: Web vulnerabilities pose a serious threat to most websites, and cross-site scripting (XSS) is among the vulnerabilities that do the most damage to users and websites. To address the efficiency shortcomings of existing dynamic XSS detection methods, this paper proposes an improved penetration-testing detection method. A webpage preprocessing module uses a probe algorithm to screen out pages that have no XSS vulnerability, and at the same time extracts the input points and the minimal object at each input point's location. Attack vectors are generated according to the classification of each input point's minimal object and stored separately, which avoids testing invalid attack vectors. In addition, the module that checks URL parameters for XSS also checks pseudo-static pages, to reduce the false negative rate. On this basis, the detection system is designed and implemented with a crawler program. Experimental results show that the proposed detection system is effective at improving the efficiency of detecting XSS vulnerabilities in web pages.
Key words: computer applications; XSS detection; dynamic vulnerability detection; Web crawler; Web security
Issue: No. 10, May 2018
Citation: HUO Guoqing, CAO Tianjie. XSS vulnerability detection based on penetration testing[J]. 中国科技论文在线精品论文, 2018, 11(10): 947-952.
 